Bug 1195465

Summary: update to lighttpd-1.4.64-bp153.2.3.1.x86_64 breaks userdir public_html
Product: [openSUSE] openSUSE Distribution
Reporter: Dirk Weber <d_werner>
Component: Security
Assignee: Andreas Stieger <Andreas.Stieger>
Status: RESOLVED FIXED
QA Contact: E-mail List <qa-bugs>
Severity: Normal
Priority: P5 - None
CC: Andreas.Stieger, jsegitz, meissner
Version: Leap 15.3
Target Milestone: ---
Hardware: x86-64
OS: openSUSE Leap 15.3

Description Dirk Weber 2022-02-02 20:34:10 UTC
After today's maintenance update to
lighttpd-1.4.64-bp153.2.3.1.x86_64.rpm
userdirs (public_html) are no longer accessible via lighttpd.

URLs in the style
http://localhost/~user/
now result in an error message (404).

The problem seems to be caused by the hardening settings in the new
/usr/lib/systemd/system/lighttpd.service
file.

It now contains additionally:

# added automatically, for details please see
# https://en.opensuse.org/openSUSE:Security_Features#Systemd_hardening_effort
ProtectSystem=full
ProtectHome=true
PrivateDevices=true
ProtectHostname=true
ProtectClock=true
ProtectKernelTunables=true
ProtectKernelModules=true
ProtectKernelLogs=true
ProtectControlGroups=true
RestrictRealtime=true
# end of automatic additions 


Creating a
/etc/systemd/system/lighttpd.service
without these settings (this means falling back to the old service file)
and disabling/enabling the service in order to update the links and restarting it restores the functionality.

With just
ProtectHome=true
disabled and the other hardening settings kept active, the
http://localhost/~user/
access also works.

So ProtectHome=true seems to be the culprit in this case.
Comment 1 Dirk Weber 2022-02-02 21:52:43 UTC
After checking options for ProtectHome on 
https://www.freedesktop.org/software/systemd/man/systemd.exec.html
I found read access to the home directories public_html is also working with:
ProtectHome=read-only
Maybe this is a better setting for lighttpd than to drop it completely.

Just as cross-reference: added this bug to bug 1181400 and set to security as this hardening seems to be added automatically.

BTW: I also already observed this problem on Tumbleweed for some weeks but did not have time to track it down. I suspected it was caused by a change in lighttpd's configuration files and failed to get it to work by just modifying those and incorporating the changes from the rpmnew files.
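An added example, not from this bug report or the openSUSE package, of applying the read-only setting described above as a systemd drop-in instead of copying the whole unit into /etc/systemd/system; the drop-in directory is the standard systemd convention, the file name is my choice.

```ini
# /etc/systemd/system/lighttpd.service.d/protecthome.conf   (file name is an assumption)
#
# Drop-in override: only the [Service] keys listed here replace the packaged
# values. Everything else in /usr/lib/systemd/system/lighttpd.service,
# including the remaining hardening directives (ProtectSystem=full,
# PrivateDevices=true, ProtectKernel*=true, ...), stays in effect, and the
# override survives the next package update of the unit file.
[Service]
# ProtectHome=true (the packaged value) mounts /home, /root and /run/user as
# empty and inaccessible for the daemon, so ~user/public_html is not found
# and lighttpd answers 404.
# ProtectHome=read-only still denies writes to home directories but lets the
# daemon read ~user/public_html, which is all userdir serving needs.
ProtectHome=read-only
```

Apply with `systemctl daemon-reload && systemctl restart lighttpd`, then confirm the effective value with `systemctl show lighttpd -p ProtectHome`.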
Comment 2 Johannes Segitz 2022-02-03 07:42:13 UTC
Yes, ProtectHome=read-only is a better setting. Thanks for reporting this here, I'll submit a fix
Comment 3 Marcus Meissner 2022-02-03 13:43:02 UTC
I think Andreas submitted the maintenance update, cc
Comment 4 Andreas Stieger 2022-02-03 17:13:23 UTC
submitted to Tumbleweed and Leap
Comment 5 OBSbugzilla Bot 2022-02-03 17:50:05 UTC
This is an autogenerated message for OBS integration:
This bug (1195465) was mentioned in
https://build.opensuse.org/request/show/951357 Factory / lighttpd
https://build.opensuse.org/request/show/951358 Backports:SLE-15-SP3 / lighttpd
Comment 6 Swamp Workflow Management 2022-02-07 08:17:09 UTC
openSUSE-RU-2022:0029-1: An update that has one recommended fix can now be installed.

Category: recommended (moderate)
Bug References: 1195465
CVE References: 
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP3 (src):    lighttpd-1.4.64-bp153.2.6.1